[Dshield] PhatBot

Micheal Patterson micheal at tsgincorporated.com
Fri Mar 19 15:23:19 GMT 2004



----- Original Message ----- 
From: "John Sage" <jsage at finchhaven.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, March 18, 2004 8:33 PM
Subject: Re: [Dshield] PhatBot


> Well.
>
> On Thu, Mar 18, 2004 at 04:19:52PM -0500, Paul Marsh wrote:
> > Date: Thu, 18 Mar 2004 16:19:52 -0500
> > From: "Paul Marsh" <pmarsh at nmefdn.org>
> > To: "General DShield Discussion List" <list at dshield.org>
> > Subject: [Dshield] PhatBot
> >
> > Well this is a happy picture the Washington Post painted.
> >
> > "Phatbot Trojan Spreading To More Systems Than Code Red A veritable
> > Swiss Army Knife of attack tools is disabling antivirus tools,
> > stealing passwords, connecting systems to peer-to-peer networks and
> > setting the victim systems up to send spam and DDoS traffic."
> >
> > What's the word on the inside about this nasty thing?  LURHQ's write
> > up is good http://www.lurhq.com/phatbot.html but it doesn't really
> > give any pointers as to what we should be on the look out for.
>
>
> I can tell you that I have seen a major increase in traffic to
> TCP:65506, which may be PhatBot related:
>
<snip>
>
> Over and over and over and over...
>
>
> - John
> -- 
> "Mad cow? You'd be mad too, if someone was trying to eat you."
>

I've had just at 63000 hits on that port since Mar 5th on my border fw from
the following systems across the world:

# Tally of log lines mentioning 65506 per source (fields 9-10 hold proto and src);
# note uniq -c only merges adjacent lines, so a source can appear more than once below
zcat security* | grep 65506 | cut -d " " -f9- | cut -d " " -f -2 | cut -d : -f -1 | uniq -c

# Hits Proto IP#
 255 TCP 220.126.126.55
   1 TCP 68.12.22.59
   2 TCP 209.208.0.15
   1 TCP 68.12.22.59
   8 TCP 81.196.126.120
  56 TCP 64.223.51.13
 218 TCP 64.220.71.77
 256 TCP 209.121.82.146
   1 TCP 68.12.22.59
  91 TCP 64.139.110.238
   1 TCP 68.12.22.59
  45 TCP 24.220.233.49
 156 TCP 64.229.135.43
 101 TCP 68.120.190.218
  13 TCP 81.185.241.164
  45 TCP 81.196.126.120
 108 TCP 81.48.19.40
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   2 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   2 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   2 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   2 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   2 TCP 24.158.161.161
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 68.12.22.59
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   2 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
  51 TCP 81.251.30.225
   2 TCP 210.223.114.53
  70 TCP 64.243.68.208
   1 TCP 68.12.22.59
 256 TCP 210.123.136.40
 256 TCP 221.149.33.139
 242 TCP 221.161.210.13
  47 TCP 221.142.148.168
  56 TCP 64.252.121.223
   3 TCP 68.12.22.59
 256 TCP 211.218.27.213
 151 TCP 64.173.8.62
 256 TCP 200.222.215.27
 255 TCP 67.121.170.237
   1 TCP 68.12.22.59
 256 TCP 218.237.63.249
  71 TCP 67.30.59.191
  47 TCP 64.223.35.74
   2 TCP 68.12.22.59
 101 TCP 64.254.252.131
 202 TCP 211.186.92.233
 118 TCP 64.171.190.138
 154 TCP 220.118.32.153
   1 TCP 68.12.22.59
  99 TCP 220.118.32.153
  16 TCP 221.165.175.116
   1 Deny TCP
 256 TCP 218.208.224.97
  88 TCP 67.120.233.252
 209 TCP 64.30.194.196
 140 TCP 64.108.116.226
   2 TCP 81.196.126.120
  51 TCP 69.0.82.117
 256 TCP 162.84.81.56
  67 TCP 81.196.126.120
 173 TCP 66.159.181.81
  68 TCP 64.223.51.107
   1 TCP 64.180.70.131
  80 TCP 81.196.126.120
   3 TCP 69.3.185.126
  34 TCP 64.123.112.194
   1 TCP 24.158.166.223
  47 TCP 213.22.160.169
   1 TCP 24.158.166.223
   1 TCP 68.12.22.59
   1 TCP 24.158.166.223
   1 TCP 67.33.50.210
   1 TCP 67.33.50.212
   1 TCP 67.33.50.210
   1 TCP 67.33.50.212
 174 TCP 68.125.208.170
   1 TCP 67.33.50.210
   2 TCP 67.33.50.212
   1 TCP 24.158.161.155
   2 TCP 24.158.166.223
   1 TCP 67.33.50.210
   1 TCP 67.33.50.212
  15 TCP 81.67.16.45
   1 TCP 67.33.50.210
   1 TCP 67.33.50.212
 256 TCP 67.69.162.126
  58 TCP 81.196.126.120
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
  60 TCP 24.187.228.23
 114 TCP 81.251.56.205
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   2 TCP 24.158.166.223
   1 TCP 67.33.50.210
   1 TCP 67.33.50.212
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 68.12.22.59
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   2 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 67.33.50.212
 158 TCP 64.222.109.168
  38 TCP 24.220.233.49
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
 140 TCP 65.49.211.172
   1 TCP 24.158.161.155
 110 TCP 64.229.185.15
 255 TCP 61.155.235.243
 195 TCP 217.158.112.163
  34 TCP 66.73.160.226
   4 TCP 81.67.16.45
 199 TCP 66.73.160.226
   1 TCP 68.12.22.59
 140 TCP 64.230.139.121
 188 TCP 64.230.102.228
 202 TCP 24.236.93.50
 231 TCP 205.158.157.195
 174 TCP 64.220.71.77
   1 TCP 68.12.22.59
  59 TCP 66.138.42.124
   1 TCP 68.12.22.59
 255 TCP 64.231.145.20
  35 TCP 81.196.126.120
 368 TCP 68.226.148.161
 116 TCP 61.76.108.118
  32 TCP 211.229.3.198
 256 TCP 211.190.178.166
  38 TCP 211.116.40.13
 276 TCP 61.76.108.118
  42 TCP 200.183.101.17
 255 TCP 68.250.227.21
 256 TCP 220.86.183.76
 255 TCP 220.71.17.173
 252 TCP 220.73.48.237
 255 TCP 134.173.91.115
 255 TCP 168.126.166.133
  18 TCP 203.221.153.103
  21 TCP 213.22.160.169
 255 TCP 61.40.12.199
 254 TCP 220.169.35.152
  65 TCP 219.95.238.196
   5 TCP 61.34.143.82
 255 TCP 219.114.36.177
  66 TCP 211.116.40.13
 254 TCP 220.71.17.173
 140 TCP 61.40.168.196
  71 TCP 200.167.134.127
 420 TCP 213.89.160.29
 256 TCP 168.126.166.133
  34 TCP 202.155.149.158
  64 TCP 61.82.133.108
  74 TCP 68.97.232.63
  61 TCP 217.228.182.12
 195 TCP 24.224.245.240
 254 TCP 219.114.36.177
  25 TCP 217.228.182.12
 212 TCP 65.69.152.164
 255 TCP 162.83.215.39
 224 TCP 61.76.108.118
 255 TCP 221.157.100.165
 255 TCP 211.107.181.168
 191 TCP 24.47.21.71
 255 TCP 221.157.100.165
 242 TCP 211.255.235.237
  71 TCP 81.240.192.84
 162 TCP 218.11.213.132
  96 TCP 63.160.173.21
   3 TCP 65.49.211.172
 203 TCP 61.76.108.118
   1 TCP 24.158.161.155
   2 TCP 24.158.161.161
   1 TCP 24.158.161.155
  51 TCP 80.219.107.32
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
 101 TCP 68.124.182.208
  31 TCP 203.220.207.232
   1 TCP 24.158.161.161
 152 TCP 213.37.212.232
   2 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
  97 TCP 209.77.48.14
 255 TCP 66.142.79.179
  10 TCP 67.170.8.103
 187 TCP 82.120.5.226
  34 TCP 81.196.126.120
 201 TCP 65.69.152.164
 256 TCP 221.157.100.165
 255 TCP 66.42.134.204
  33 TCP 213.22.160.169
 101 TCP 81.196.126.120
  76 TCP 24.84.99.12
 111 TCP 4.12.172.129
 201 TCP 218.11.213.132
  58 TCP 219.94.98.10
 256 TCP 210.120.55.58
  67 TCP 61.82.133.108
  52 TCP 203.220.89.182
 252 TCP 210.255.186.185
 255 TCP 206.116.29.86
 165 TCP 61.40.29.245
   5 TCP 219.95.2.19
  73 TCP 68.117.111.88
 246 TCP 211.22.198.27
 253 TCP 211.97.102.233
 255 TCP 61.132.213.43
 248 TCP 82.44.170.145
 255 TCP 211.168.250.214
  66 TCP 211.54.225.105
 255 TCP 220.86.183.76
 256 TCP 210.107.27.196
  52 TCP 213.37.50.164
  54 TCP 80.178.76.130
  36 TCP 203.220.89.182
 254 TCP 211.97.102.233
  58 TCP 212.106.163.199
  65 TCP 220.184.158.214
  99 TCP 212.106.163.199
  99 TCP 220.184.158.214
  98 TCP 212.106.163.199
  91 TCP 220.184.158.214
 136 TCP 207.180.131.187
  42 TCP 208.168.228.176
 250 TCP 66.42.131.139
  56 TCP 68.124.182.208
  28 TCP 80.219.107.32
 245 TCP 211.249.245.181
 131 TCP 208.168.228.176
   6 TCP 69.66.92.195
 131 TCP 66.161.177.117
 256 TCP 210.124.59.92
 217 TCP 220.80.156.17
 229 TCP 64.166.211.130
 256 TCP 221.157.100.165
 225 TCP 211.40.80.53
  41 TCP 81.196.126.120
  10 TCP 66.219.138.135
  50 TCP 138.88.218.243
  95 TCP 24.55.11.147
 254 TCP 221.158.245.122
  66 TCP 218.146.175.202
  79 TCP 208.31.202.2
 247 TCP 210.92.239.129
 256 TCP 168.126.70.68
  42 TCP 66.168.134.224
 255 TCP 221.157.100.161
   2 TCP 219.95.2.19
   5 TCP 24.84.99.12
 256 TCP 210.120.55.58
  46 TCP 202.137.25.185
 251 TCP 211.115.63.146
  43 TCP 24.214.159.6
 189 TCP 211.178.66.25
 209 TCP 66.142.79.179
 255 TCP 61.177.60.194
 256 TCP 216.196.139.25
  13 TCP 211.40.36.80
 107 TCP 81.240.192.84
 256 TCP 24.92.255.141
  92 TCP 66.143.118.61
  40 TCP 62.57.65.59
   9 TCP 67.116.219.116
  32 TCP 68.156.234.162
 180 TCP 203.220.206.20
  56 TCP 200.183.101.17
 174 TCP 202.101.34.131
 142 TCP 212.106.165.124
  27 TCP 213.37.50.164
 256 TCP 210.124.59.92
 255 TCP 66.159.149.221
  30 TCP 216.194.6.29
 139 TCP 82.121.32.146
  92 TCP 24.216.253.72
  50 TCP 219.142.4.5
  47 TCP 212.235.128.185
  44 TCP 24.232.35.144
 256 TCP 219.241.17.138
 238 TCP 82.166.153.213
 179 TCP 210.182.184.151
 165 TCP 212.106.164.178
 255 TCP 61.33.111.30
 111 TCP 4.8.86.36
  65 TCP 213.138.231.209
  35 TCP 200.138.107.20
 256 TCP 68.53.154.193
  32 TCP 67.121.106.8
 255 TCP 202.191.65.93
  25 TCP 61.242.215.66
 244 TCP 217.43.113.24
 255 TCP 83.176.6.29
 238 TCP 210.98.144.152
 105 TCP 212.106.160.242
 256 TCP 24.53.224.205
 256 TCP 168.126.166.211
 221 TCP 210.124.16.16
 255 TCP 210.122.127.33
 144 TCP 211.40.70.181
 232 TCP 211.115.63.109
  48 TCP 213.37.224.170
 255 TCP 220.211.230.201
 256 TCP 61.36.66.145
  38 TCP 213.138.244.154
  50 TCP 202.137.24.194
 210 TCP 82.121.37.215
 254 TCP 80.181.117.50
 254 TCP 168.126.70.90
  23 TCP 211.40.70.181
 176 TCP 81.251.122.178
 256 TCP 219.251.45.32
  48 TCP 68.163.175.143
 230 TCP 61.41.115.92
  67 TCP 4.10.159.131
 239 TCP 211.169.226.220
 255 TCP 61.36.66.163
 255 TCP 61.38.168.195
 256 TCP 220.82.242.214
 255 TCP 24.241.170.191
 255 TCP 65.42.61.11
 254 TCP 168.126.166.211
 214 TCP 211.249.248.48
  46 TCP 24.232.5.2
 101 TCP 82.125.131.211
  44 TCP 200.167.158.130
 244 TCP 68.122.83.218
 233 TCP 210.206.46.211
 256 TCP 210.182.205.232
  15 TCP 218.58.159.128
  43 TCP 200.167.158.130
  73 TCP 63.130.195.84
 173 TCP 129.49.77.198
 267 TCP 61.109.170.75
 255 TCP 130.18.31.243
 255 TCP 61.80.131.133
 255 TCP 192.195.100.74
  42 TCP 4.4.146.192
 253 TCP 209.34.27.114
 255 TCP 82.69.2.243
 254 TCP 211.224.250.210
 255 TCP 61.32.241.244
 113 TCP 213.138.241.83
 255 TCP 81.68.64.122
 196 TCP 220.247.247.61
 256 TCP 69.165.91.80
 256 TCP 61.32.241.244
   1 TCP 68.12.22.59
   3 TCP 213.85.29.136
 109 TCP 80.219.107.32
   1 TCP 68.12.22.59
  94 TCP 80.188.114.251
   1 TCP 68.12.22.59
  13 TCP 81.48.181.158
 246 TCP 202.96.179.133
 255 TCP 24.71.195.71
 246 TCP 219.133.67.160
 124 TCP 209.30.80.211
   1 TCP 68.12.22.59
 121 TCP 66.244.80.171
 255 TCP 211.180.246.211
  17 TCP 213.37.89.199
  62 TCP 24.113.67.213
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
  97 TCP 61.59.255.165
   1 TCP 24.158.166.223
 246 TCP 219.237.89.70
  19 TCP 24.55.11.147
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 68.12.22.59
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   2 TCP 24.158.166.223
   2 TCP 68.12.22.59
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 68.12.22.59
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.161
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
  99 TCP 202.155.133.133
 255 TCP 203.240.251.60
 150 TCP 68.96.209.115
 210 TCP 209.189.241.23
 255 TCP 211.235.15.76
 255 TCP 211.40.66.220
 612 TCP 221.205.211.57
  67 TCP 200.167.158.130
 139 TCP 202.137.24.194
   1 TCP 213.210.179.184
 256 TCP 210.180.42.134
 256 TCP 202.101.161.218
 255 TCP 61.177.60.194
 255 TCP 211.216.130.199
 256 TCP 202.196.103.12
 256 TCP 210.207.251.136
 241 TCP 211.168.250.214
 256 TCP 210.182.189.246
   1 TCP 68.12.22.59
 253 TCP 220.97.40.188
 239 TCP 61.33.238.156
 256 TCP 210.120.55.58
 255 TCP 61.250.126.229
 255 TCP 168.126.166.211
   2 TCP 218.148.148.98
  76 TCP 211.40.254.100
 130 TCP 211.40.90.9
  92 TCP 211.97.102.233
   1 TCP 68.12.22.59
  32 TCP 213.37.89.199
   2 TCP 68.12.22.59
 256 TCP 61.96.45.147
  22 TCP 210.118.244.22
 252 TCP 61.40.228.111
  71 TCP 211.97.102.233
 241 TCP 219.145.119.38
 250 TCP 219.144.177.59
 177 TCP 69.165.91.80
  36 TCP 221.169.17.198
   1 TCP 68.12.22.59
 511 TCP 61.177.60.194
  24 TCP 202.155.149.166
 232 TCP 211.105.92.213
   1 TCP 68.12.22.59
  23 TCP 211.190.88.171
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
 141 TCP 211.190.88.171
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   2 TCP 24.158.166.223
   3 TCP 68.12.22.59
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   4 TCP 200.167.183.95
   1 TCP 68.12.22.59
 243 TCP 212.235.130.123
   1 TCP 68.12.22.59
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 68.12.22.59
  63 TCP 162.84.82.112
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
 165 TCP 62.231.98.189
   1 TCP 24.158.161.155
   1 TCP 24.158.161.161
  38 TCP 63.201.25.219
 256 TCP 210.21.43.124
 251 TCP 211.180.246.204
  31 TCP 82.36.52.21
 182 TCP 61.40.168.196
  27 TCP 82.208.172.186
  22 TCP 217.132.107.183
  73 TCP 69.104.91.242
   3 TCP 68.12.22.59
 255 TCP 141.213.198.114
  23 TCP 24.232.35.144
   1 TCP 68.12.22.59
 252 TCP 202.96.179.133
 148 TCP 61.109.232.54
 256 TCP 210.92.222.89
   5 TCP 221.210.157.42
 167 TCP 213.220.224.11
 255 TCP 202.196.220.153
 175 TCP 61.248.21.162
 242 TCP 211.168.250.214
 255 TCP 61.193.93.242
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
  89 TCP 210.220.113.176
   1 TCP 24.158.166.223
 255 TCP 210.92.230.138
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   3 TCP 24.158.166.223
   1 TCP 24.158.161.155
   1 TCP 24.158.166.223
   2 TCP 24.158.161.155
   1 TCP 24.158.166.223
   1 TCP 24.158.161.155
   2 TCP 24.158.166.223
 168 TCP 210.139.48.46
   1 TCP 24.158.166.223
 234 TCP 219.131.62.26
 253 TCP 219.239.245.250
 236 TCP 219.142.4.6
 159 TCP 211.188.8.163
   1 TCP 68.12.22.59
 255 TCP 211.205.226.47
   3 TCP 68.12.22.59
 251 TCP 219.239.245.250
   1 TCP 68.12.22.59
  52 TCP 213.220.217.228
  76 TCP 211.40.85.251
 256 TCP 211.205.226.47
  37 TCP 210.180.245.140
   1 TCP 68.12.22.59
  60 TCP 202.108.246.105
 253 TCP 219.239.245.250
   4 TCP 68.12.22.59
--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
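The tally above has two rough edges a practitioner will want to avoid when doing the same count on their own logs: `grep 65506` matches the number anywhere on the line (a source port, a byte count), and `uniq -c` without a preceding `sort` only merges adjacent lines, which is why sources such as 68.12.22.59 and 24.158.161.155 show up dozens of times as separate one-hit rows instead of once with their true total. The script below is an added example, not code from the original message; it works on a constructed syslog-style deny record (the field positions used in tally_port are an assumption about that made-up layout, not about the poster's firewall) and keys on the TCP destination port field rather than on the bare string.

```shell
#!/bin/sh
# Added example, not from the original post: per-source tally of firewall
# denies to TCP/65506. The record layout is ASSUMED (constructed sample below);
# adjust the awk field numbers in tally_port for a real firewall's log format.

# Constructed sample log. It deliberately contains the traps a bare
# "grep 65506 | uniq -c" falls into: a UDP record, a record where 65506 is
# the *source* port, and the same source appearing non-adjacently.
sample_log() {
  cat <<'EOF'
Mar  5 01:02:03 border kernel: Deny TCP 68.12.22.59:3421 -> 10.0.0.5:65506
Mar  5 01:02:04 border kernel: Deny TCP 220.126.126.55:4010 -> 10.0.0.5:65506
Mar  5 01:02:05 border kernel: Deny TCP 68.12.22.59:3422 -> 10.0.0.5:65506
Mar  5 01:02:06 border kernel: Deny UDP 68.12.22.59:65506 -> 10.0.0.5:65506
Mar  5 01:02:07 border kernel: Deny TCP 10.0.0.5:65506 -> 24.158.161.155:1099
Mar  5 01:02:08 border kernel: Deny TCP 220.126.126.55:4011 -> 10.0.0.5:65506
Mar  5 01:02:09 border kernel: Deny TCP 68.12.22.59:3423 -> 10.0.0.5:65506
Mar  5 01:02:10 border kernel: Deny TCP 24.158.161.155:2000 -> 10.0.0.5:135
EOF
}

# Count records whose protocol field ($7) is TCP and whose destination
# port (after the colon in $10) equals $1, grouped by source address ($8
# before the colon). Output: "<hits> <source>", highest count first,
# ties broken by address so the result is deterministic.
tally_port() {
  awk -v port="$1" '
    $7 == "TCP" {
      split($8, src, ":"); split($10, dst, ":")
      if (dst[2] == port) hits[src[1]]++
    }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# What a bare "grep 65506" would count on the same input: it also takes
# the UDP record and the one where 65506 is the source port.
naive_count() {
  grep -c 65506
}

# Usage: the true tally is 5 hits (3 + 2); the grep count reports 7.
sample_log | tally_port 65506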
